CRITICALSecuritymediumNext.js + Supabase Standards

Use three distinct Supabase client types

Use createClient() for authenticated pages (RLS enforced), createAdminClient() for server-side writes (service_role), and createReadOnlyClient() for public pages (anon key).

Why This Matters

Using the wrong client type either exposes data (admin client in page) or blocks legitimate access (authenticated client for public content). Each has different security characteristics.

Related Rules

Use route groups to organize app sections

Architecture

HIGH

Colocate page files with their route segment

Architecture

MEDIUM

Use (select auth.uid()) instead of auth.uid() in policies

Performance

MEDIUM

Use kebab-case for file and directory names

Quality

MEDIUM

Catch this automatically on every PR

BeforeMerge scans your pull requests against this rule and 3+ others. Get actionable feedback before code ships.

Join Waitlist Browse All Rules

Why This Matters

Each client type has different security characteristics:

Client	RLS	Use Case
`createClient()`	Enforced	Dashboard pages, user-facing queries
`createAdminClient()`	Bypassed	Server actions for writes, cron jobs
`createReadOnlyClient()`	Enforced (anon)	Public pages (explore, content)

Good

// Page component — RLS enforced
const supabase = await createClient()
const { data } = await supabase.from("scans").select("*")
 
// Server action — needs service_role for writes
const admin = createAdminClient()
await admin.from("scans").insert({ ... })

Bad

// Page component using admin client — bypasses RLS!
const admin = createAdminClient()
const { data } = await admin.from("scans").select("*") // sees ALL orgs!

Use three distinct Supabase client types

Why This Matters

Tags

Related Rules

Catch this automatically on every PR

Why This Matters

Good

Bad